Information & Ethics Committee on Feb. 14th, 2017

Because we weren't dealing so much with consumers—our dealings were with organizations—we didn't have a lot of organizations coming forward and—

Well, that's right.

They were small businesses. What we found, generally speaking—though there were some exceptions, as you would expect—that there was an incredibly low level of awareness of PIPEDA and what was required of an organization to ensure that it was collecting the least amount of information needed for the purpose, and that it didn't keep personal information longer than it had appropriate need for it, and those kinds of things.

We found that those rules weren't being followed.

Absolutely.

One investigation that pops to mind was of a new start-up selling widgets on the net. They were clearly very excited about their new business and didn't think about privacy. What they were focused on was being a nice start-up on the internet, until one of their customers said, I've been defrauded of so many thousands of dollars. The start-up did not find the breach themselves. Then another customer said, I've been defrauded. Then everyone tracked it down to them, and sure enough, it was them.

There are tons of examples like that. In fact, many big companies will tell you that their weakest link is the SMEs that are in their supply chain. Much of the attention is turning there.

The answer to your question, then, is yes, absolutely there is harm.

Oh, oh!

The only way we can protect them is to work now at making sure that by the time our adequacy status comes under review in Europe, we have shored up our privacy protections to that level. It doesn't mean that they're exactly the same, but that the Europeans will find them adequate. Otherwise, every time we want to deal with Europe—a market of 500 million people who have money, so we want to have that competitive advantage—we will have to go through very onerous clauses.

The answer to your question goes back to what I said to Mr. Massé: we need to shore up the act now so that it passes the test after 2018.

Perhaps I could have a few words?

The Quebec data protection law was deemed substantially similar to PIPEDA. We've had this law since 1993. It's probably the most stringent across Canada. Europe looked at our law in 2014 and decided that it was not adequate—that there was question mark in its regard. So I have an issue with the adequacy of Europe's assessment or methodology.

Ideally, of course, we would like to pass that test, but I still have some concerns.

Actually, if we follow the European model, it is annual revenues. The Chair was speaking about divergent views, but I think there's some congruence here between us. Ms. Gratton said that we have to make sure that we take into account the circumstances of the organization. Gary Dickson spoke of SMEs and how they are more sensitive to fines. Using a percentage, I feel, is fairer because then you don't slap a million dollar fine on a small company. A percentage would fit the gravity of an offence and would be fairer in practice.

I believe our proposal doesn't try to pick out which sites. It's based more on an adjustment to consent. In the United States, as you know, there's a requirement not to take the information of children under the age of 13. That should be standard here in Canada. It's not in the act. Europe now, with the general data protection, is going to require parental consent up to age 16 for most matters.

There is a body of social sciences research on this, on the developing maturation of the teen brain and at what point they can understand to give valid consent. It's similar to medical consent. There could be just basically those sorts of rough rules so that, as a teenager under 16, you would be protected from handing out your personal information to, for example, third-party processing. We did a paper on this, called “All in the Data Family”, which is on our website. It goes through a proposal that we made.

The last thing is, for children who may have given consent under the age of majority, our proposal was also that they have a choice, when they reach the age of 18 or 19, depending on the province, about whether to authorize the company that collected it to continue to use the information. We call it a “get out of data jail free” card. That might be something for the committee to consider.

Those were the kinds of proposals we were thinking about.